Subject: Re: BUG: bad usercopy in __check_object_size (2)
From: Tetsuo Handa
To: keescook@chromium.org, keescook@google.com
Cc: syzbot, crecklin@redhat.com, dvyukov@google.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, luto@kernel.org, mingo@redhat.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, x86@kernel.org
Date: Sat, 8 Sep 2018 01:17:44 +0900
Message-ID: <14d5bccf-f12d-0fc1-eddc-9fb24dc0cf14@I-love.SAKURA.ne.jp>
In-Reply-To: <000000000000e16cba057549aab6@google.com>

On 2018/09/08 0:29, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:    28619527b8a7 Merge git://git.kernel.org/pub/scm/linux/kern..
> git tree:       bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=124e64d1400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=62e9b447c16085cf
> dashboard link: https://syzkaller.appspot.com/bug?extid=a3c9d2673837ccc0f22b
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179f9cd1400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b3e8be400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a3c9d2673837ccc0f22b@syzkaller.appspotmail.com
>
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x440479
> usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 64)!

Kees, is this because check_page_span() is failing to allow the on-stack variable u8 opcodes[OPCODE_BUFSIZE]; which by chance crossed a PAGE_SIZE boundary?
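As an added illustration (not code from this thread or from the kernel), here is a user-space model of the "is the object wholly within one base page?" test that the hardened-usercopy page-span check applies: a 64-byte object is placed so that it straddles a 4096-byte page boundary, which is the situation the "spans multiple pages (offset 0, size 64)" message describes. The kernel's real check_page_span() also exempts the rodata/data/bss regions, objects inside one compound page, and wholly Reserved or CMA ranges; this model omits those and assumes 4 KiB pages.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 4 KiB base pages, as on x86-64. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_MASK (~(MODEL_PAGE_SIZE - 1))

/*
 * Model of the "wholly within one base page?" test in check_page_span():
 * the first and last byte of [ptr, ptr + n) must lie in the same page.
 * Returns 1 when the object straddles a page boundary, 0 otherwise.
 */
int model_spans_multiple_pages(uintptr_t ptr, unsigned long n)
{
    uintptr_t end = ptr + n - 1;   /* address of the object's last byte */
    return (ptr & MODEL_PAGE_MASK) != (end & MODEL_PAGE_MASK);
}

/*
 * For a page-aligned region, report whether an object of 'size' bytes
 * placed 'offset' bytes into it would trip the page-span check.
 * With size 64 (as in the report), offset 4064 leaves the last 32 bytes
 * on the second page.
 */
int model_check_object_at(uintptr_t region, unsigned long offset,
                          unsigned long size)
{
    return model_spans_multiple_pages(region + offset, size);
}

int main(void)
{
    /* Constructed region: two aligned pages standing in for stack memory. */
    uint8_t *region = aligned_alloc(MODEL_PAGE_SIZE, 2 * MODEL_PAGE_SIZE);
    if (!region)
        return 1;
    memset(region, 0, 2 * MODEL_PAGE_SIZE);

    unsigned long offsets[] = { 0, MODEL_PAGE_SIZE - 64, MODEL_PAGE_SIZE - 32 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int spans = model_check_object_at((uintptr_t)region, offsets[i], 64);
        printf("64-byte object at offset %lu: %s\n", offsets[i],
               spans ? "spans multiple pages (would be rejected)"
                     : "within one page (passes this test)");
    }
    free(region);
    return 0;
}
```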